Add unsafeHtml option for extensions to use on trusted input

2018-03-15 10:42:29 +00:00 · 2018-03-15 10:42:29 +00:00 · e6444bb57e
parent a3265e7c6f
commit e6444bb57e
3 changed files with 45 additions and 2 deletions
--- a/Parsedown.php
+++ b/Parsedown.php
@ -1488,7 +1488,20 @@ class Parsedown
            }
        }

+        $unsafeHtml = false;
        if (isset($Element['text']))
+        {
+            $text = $Element['text'];
+        }
+        // very strongly consider an alternative if you're writing an
+        // extension
+        elseif (isset($Element['unsafeHtml']) and !$this->safeMode)
+        {
+            $text = $Element['unsafeHtml'];
+            $unsafeHtml = true;
+        }
+
+        if (isset($text))
        {
            $markup .= $hasName ? '>' : '';

@ -1499,11 +1512,15 @@ class Parsedown

            if (isset($Element['handler']))
            {
-                $markup .= $this->{$Element['handler']}($Element['text'], $Element['nonNestables']);
+                $markup .= $this->{$Element['handler']}($text, $Element['nonNestables']);
+            }
+            elseif ($unsafeHtml !== true or $this->safeMode)
+            {
+                $markup .= self::escape($text, true);
            }
            else
            {
-                $markup .= self::escape($Element['text'], true);
+                $markup .= $text;
            }

            $markup .= $hasName ? '</'.$Element['name'].'>' : '';
--- a/test/ParsedownTest.php
+++ b/test/ParsedownTest.php
@ -1,4 +1,5 @@
 <?php
+require 'UnsafeExtension.php';

 use PHPUnit\Framework\TestCase;

@ -55,6 +56,17 @@ class ParsedownTest extends TestCase
        $this->assertEquals($expectedMarkup, $actualMarkup);
    }

+    function testUnsafeHtml()
+    {
+        $markdown = "```php\nfoobar\n```";
+        $expectedMarkup = '<pre><code class="language-php"><p>foobar</p></code></pre>';
+
+        $unsafeExtension = new UnsafeExtension;
+        $actualMarkup = $unsafeExtension->text($markdown);
+
+        $this->assertEquals($expectedMarkup, $actualMarkup);
+    }
+
    function data()
    {
        $data = array();
--- a/test/UnsafeExtension.php
+++ b/test/UnsafeExtension.php
@ -0,0 +1,14 @@
+<?php
+
+class UnsafeExtension extends Parsedown
+{
+    protected function blockFencedCodeComplete($Block)
+    {
+        $text = $Block['element']['text']['text'];
+        unset($Block['element']['text']['text']);
+
+        $Block['element']['text']['unsafeHtml'] = "<p>$text</p>";
+
+        return $Block;
+    }
+}